You realise you need to enforce a policy only once things do not 'go as planned' - and having the discussion on acceptance at that point is rather late. And how can users, for instance, know what they are allowed to do with the research data, or when to ask for additional roles and group membership from membership management? 

Who decides when things go south?

The rules of participation define who has the authority to decide, and to suspend or cut-off participants, in case the 'regular' processes break down. While the initial thoughts may revolve around security incidents and who has been granted the 'power' to intervene and stop the incident, there are other times when you need that control, and that control can be both inclusive or exclusive. For example if by standard processes former employees of an organisation are removed from the groups and their roles revoked, there may be good reasons to keep a specific person 'in the collaboration' for a while longer. Why can then trigger a hardship clause in the rules of participation? And if there is no such clause, who is authorised to help? If a collaboration breaks up, or essential rules are violated, who can suspend access, and is there a process?

A hardship clause also helps to retain proper documentation for any exceptions, instead of policy being silently bypassed. Some examples are provided below.

Make sure all of them can access and understand your policies and processes, can work with you when you execute procedures for incident response, and engage with Sirtfi and security readiness exercises. 

"Where the enrolment or approval process described leads to obvious injustice and hardship due to a implementation of the process being unduly hard, a time-limited and documented exception may be implemented after the explicit approval at the appropriate level of Management.
Any such exception must be followed up by immediate and concrete steps to address the deficiencies created within a limited time period commensurate with the discrepancy induced. The invocation of the hardship clause MUST not compromise the integrity or trustworthiness of the system with respect to any participants."

"In exceptional circumstances it may be necessary for participants to take emergency action in response to some unforeseen situation which may violate some aspect of this policy for the greater good of pursuing or preserving legitimate e-Infrastructure objectives. If such a policy violation is necessary, the exception should be minimised, documented, time-limited and authorised at the highest level of the Management commensurate with taking the emergency action promptly, and the details notified to the e-Infrastructure Security Officer at the earliest opportunity" (WLCG and EGI top-level policy)

How does escalation fit into an AARC BPA compliant infrastructure?

The AAI is used to grant and revoke access to resources, and the decisions taken during escalation have to be effectuated in the AAI at the appropriate layer. Often that is in the collaboration platform or at the infrastructure layer.

Resources


  • No labels